I think a case could be made that it's unauthorized access, since the prankster is definitely not supposed to be using the system for those purposes, regardless of how accessible it is. Same as if you walked into a bank or something and surreptitiously plugged a malicious USB drive into one of their machines.

Maybe it would make a difference if the prankster was an employee, and not just some random person, but I doubt it.